This is a “Magic Offline Imaging Jumpdrive” I put together that can be used for OEM imaging or offline imaging where you still need to join PCs to the domain but don’t have access to the network when the computer is being imaged. The idea is that this “Magic Jumpdrive” allows a trusted party to image your equipment without needing access to your network, making the imaging process more secure and quicker, and broadening where and when a machine can be imaged (outside maintenance windows at a site, for example).
Create the Magic Offline Imaging Jumpdrive SCCM Package
First, download my Magic Offline Imaging Jumpdrive and unzip the contents
Create a new source location for content in your SCCM data directory, and copy into it all of the files found within the OFFLINE_PACKAGE_CONTENTS folder from the file you just downloaded:
Next, create an SCCM Package (or application if you prefer) and add two programs, one for each of the CMD files. The command line for each program only needs to point to the name of the file, nothing more.
Setup the Magic Offline Imaging Jumpdrive OS Task Sequence
Next, choose the task sequence in SCCM that you would like to be available offline and copy it as a new task sequence with “(OFFLINE)” appended to the name, such as “Windows 10 (OFFLINE)”.
Now, add two steps to this task sequence after the image has been applied, yet before anything you want installed on a “Domain Joined” machine. Each step simply points to the package you created earlier, running STEP 1 and then STEP 2 in order:
Create the Magic Offline Imaging Jumpdrive
Now, create an offline Jumpdrive of this OFFLINE task sequence using the Create Task Sequence Media wizard built right into SCCM:
Put your Jumpdrive aside as we’ll need it again in a few moments.
Creating the Offline Computer Provisioning Files
Now, within the file you downloaded, inside the ADMINISTRATIVE_TOOLS directory, modify the contents of the Add_Offline_Machine.cmd file to include the OU and domain you want the machine placed in:
djoin /provision /domain "fqdn.company.com" /machine "%computerName%" /savefile .\%computerName%.txt /machineou "OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"
and the security group you want the machine placed in:
dsmod group "CN=ISE - Offline Domain Join,OU=Your Special Offline Security Group,OU=Security Groups,OU=con,DC=corp,DC=contoso,DC=com" -addmbr "CN=%computerName%,OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"
(The member DN passed to -addmbr must be the same OU that djoin /machineou creates the object in, otherwise dsmod will fail to find the new computer object.)
If you don’t care to have the machine placed in a security group, just REM out this line. However, I recommend you do add it to a special security group with restricted permissions. You can then remove it from this group later once you’ve determined the computer is in safe hands.
Now launch the tool Add_Offline_Machine.cmd, which will pre-provision offline domain objects for a series of computers. These will be the names of the computers you want to be available for offline domain join:
You’ll notice two things happened. One, you’ll find a new COMPUTERNAME.txt file in the same directory you ran the tool. This is the offline provisioning file, and you’ll want to copy it to the ROOT of the Jumpdrive:
Second, you’ll notice a computer object was created inside the OU you specified earlier. This .txt file and computer object are a special pair. Our .txt offline provisioning file has a trusted key inside of it that Active Directory will recognize and trust, and associate with this computer object later on during the process. It’s all automated, so you don’t need to worry.
Booting and Imaging the Offline Computer with the Magic Offline Imaging Jumpdrive
Now comes the fun part. Take your Jumpdrive to a computer that is not connected to the network and boot it from the Jumpdrive. Image the computer in the normal fashion. Later on in the process, you’ll be prompted with a wizard where you can choose the Offline Provision File you created earlier:
This list is generated from all of the offline provisioning .txt files you decided to add to the root of the Jumpdrive earlier. Once you select a file, the computer will join the domain as that name, EVEN WHEN NOT CONNECTED TO THE NETWORK! That’s the magic part. Also, the file will be renamed from .txt to .old, indicating it has been used, so the wizard does not make it available again the next time the Jumpdrive is used.
Joining the Domain
The computer images with the OS and “thinks” it has joined your domain. In actuality the trust relationship isn’t established until the computer is plugged into your network. But of course you can already have it in the restricted security group you defined earlier, if you choose to have manual intervention in the process in case the Jumpdrive was lost or stolen.
When the computer actually connects to the network, the special key/AD computer object pair will be linked, and the computer will be on the network, joined to the domain as that computer object. Magic, isn’t it?
Once someone has confirmed the computer is in good hands, the computer would be placed into a proper security group where it would get the standard policies.
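As an added example (not part of the original post or its download), here is a PowerShell audit of the staging OU that finds machine objects provisioned by Add_Offline_Machine.cmd whose blob has never been used, so a lost Jumpdrive does not leave a valid join blob live indefinitely. It assumes the RSAT ActiveDirectory module and the OU and group DNs from the post; the $GraceDays value and the -Disable switch are my own choices.

```powershell
# Added example: audit pre-provisioned offline-join accounts (not the post's own code).
# Assumes the RSAT ActiveDirectory module and the DNs used in Add_Offline_Machine.cmd.
param(
    [string]$StagingOU = "OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com",
    [string]$GroupDN   = "CN=ISE - Offline Domain Join,OU=Your Special Offline Security Group,OU=Security Groups,OU=con,DC=corp,DC=contoso,DC=com",
    [int]$GraceDays    = 14,     # assumption: how long a provisioning file may sit unused
    [switch]$Disable             # report only unless -Disable is given
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$GraceDays)

# LastLogonDate is only populated once the machine has contacted a DC, which for an
# offline join happens the first time the imaged PC touches the network. An account
# with no logon is therefore a .txt blob still sitting on a Jumpdrive somewhere.
$unused = Get-ADComputer -SearchBase $StagingOU -Filter * `
              -Properties whenCreated, LastLogonDate, Enabled, MemberOf |
          Where-Object { -not $_.LastLogonDate }

foreach ($c in $unused) {
    $inGroup = $c.MemberOf -contains $GroupDN
    $age     = [int]((Get-Date) - $c.whenCreated).TotalDays
    $state   = if ($c.Enabled) { "enabled" } else { "disabled" }
    Write-Output ("{0,-16} created {1:d} ({2} days ago) {3} restricted-group={4}" -f `
                  $c.Name, $c.whenCreated, $age, $state, $inGroup)

    # An object in the staging OU that never got the dsmod step (or was created
    # some other way) is outside the restricted policy the post relies on; flag it.
    if (-not $inGroup) {
        Write-Warning "$($c.Name) is not a member of the restricted offline-join group"
    }

    if ($Disable -and $c.Enabled -and $c.whenCreated -lt $cutoff) {
        # A disabled computer account cannot establish its secure channel, so the
        # blob on the drive becomes useless; re-provision deliberately if still needed.
        Disable-ADAccount -Identity $c
        Write-Output "  -> disabled (unused for more than $GraceDays days)"
    }
}
```

Run it without -Disable first to see which provisioned names are still outstanding; the warning line is the quickest way to catch a blob that was created outside the tool.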
Administrative Tool: Add_Offline_Machine.cmd
@echo off
color 9F
cls
echo ==============================================================
echo Offline Domain Join Tool (dmaiolo v2017-04-28)
echo ==============================================================
echo.
echo This tool is used to add a computer object that can be used
echo during an offline domain join for purposes of imaging OEM equipment
echo when not joined to the network.
echo.
SET /P computerName=[Enter Hostname To Add to Offline Domain Join:]
REM Set your OU below where you want the computers placed. For security, you could stick these
REM in a staging OU that only allows access to resources once the machine has been approved by
REM an administrator.
echo Adding %computerName% to Jump Drive Save File...
djoin /provision /domain "fqdn.company.com" /machine "%computerName%" /savefile .\%computerName%.txt /machineou "OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"
REM The member DN below must match the /machineou used by djoin above.
echo Adding %computerName% to Security Group...
dsmod group "CN=ISE - Offline Domain Join,OU=Your Special Offline Security Group,OU=Security Groups,OU=con,DC=corp,DC=contoso,DC=com" -addmbr "CN=%computerName%,OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"
pause
Offline Join Tool: Choose_Machine_Join_File_STEP1.cmd
@echo off
color 9f
setlocal enabledelayedexpansion
REM Drive letter the task sequence media is mounted as, and the hand-off file read by STEP 2.
set mediaroot=d:
set djoinfile=CURRENT_OFFLINE_MACHINE.DJOIN
:START
cls
echo ===========================================================================
echo JOIN MACHINE TO DOMAIN (OFFLINE) (v20160413 dmaiolo)
echo ===========================================================================
if exist %mediaroot%\%djoinfile% (
    GOTO END
) else (
    GOTO CHOOSEFILE
)
:CHOOSEFILE
if exist %mediaroot%\*.txt (
    GOTO CHOOSEFILESTART
) else (
    echo ERROR! No Domain Join files were found on the media root.
    echo Please add a domain join file using the djoin.exe command and try again.
    echo This process will continue to look for this file every time you press any key.
    echo To bypass this entire process press CTRL+C. If you do, this computer will
    echo not join the domain.
    pause
    GOTO START
)
:CHOOSEFILESTART
echo Choose the file associated to this machine from the list below. If you
echo do not see your machine file listed, please contact the helpdesk to have
echo it created, and then add it to the root of this installation media.
echo -
set count=0
set "choice_options="
for /F "delims=" %%A in ('dir /a:-d /b %mediaroot%\*.txt') do (
    REM Increment count here so that it doesn't get incremented later
    set /a count+=1
    REM Add the file name to the options array
    set "options[!count!]=%%A"
    REM Add the new option to the list of existing options
    set choice_options=!choice_options!!count!
)
REM choice /C only accepts single-character keys, so at most 9 files can be offered.
if !count! GTR 9 (
    echo ERROR! More than 9 .txt files were found on the media root. Remove used or
    echo extra files so that at most 9 remain, then press any key to retry.
    pause
    GOTO CHOOSEFILE
)
for /L %%A in (1,1,!count!) do echo [%%A]. !options[%%A]!
echo -
choice /D 1 /T 60 /C !choice_options! /N /M "Enter Number From Above (Option 1 Chosen in 60 Seconds): "
set var1=!options[%errorlevel%]!
REM Redirect first so no trailing space is written into the hand-off file.
>%mediaroot%\%djoinfile% echo %var1%
set /p var1=<%mediaroot%\%djoinfile%
choice /D y /C yn /T 60 /N /M "Proceed With %var1%? (y/n) (y Chosen in 60 Seconds): "
if %errorlevel%==1 (GOTO END) else GOTO CHOOSEFILE
:END
Offline Join Tool: Choose_Machine_Join_File_STEP2.cmd
@echo off
color 9f
setlocal enabledelayedexpansion
set mediaroot=d:
set djoinfile=CURRENT_OFFLINE_MACHINE.DJOIN
cls
echo ===========================================================================
echo JOIN MACHINE TO DOMAIN (OFFLINE) (v20160413 dmaiolo) STEP 2
echo ===========================================================================
if exist %mediaroot%\%djoinfile% (
    GOTO STARTJOIN
) else (
    GOTO NOFILEFOUND
)
:STARTJOIN
REM Read the file name chosen in STEP 1 (only once we know the hand-off file exists).
set /p var2=<%mediaroot%\%djoinfile%
echo Joining %var2% to Domain...
REM /localos targets the currently running Windows installation, so this step must run
REM in the deployed OS rather than in WinPE.
djoin /requestODJ /loadfile %mediaroot%\%var2% /windowspath %systemroot% /localos
echo Removing %var2% from the future list of options...
rename %mediaroot%\%var2% *.old
del %mediaroot%\%djoinfile%
GOTO END
:NOFILEFOUND
echo No File Was Found
:END